Cisco Support Community

HTTP doesn't pass through PIX/ASA version 8

Hi all.

I have a customer with PIX version 8. They are part of a monitoring setup. This application works with HTTP traffic (web services) over a non-standard port. The PIX is configured with the usual ACL, static and the default inspection rules.

This setup did work with version 7.x. Now it is updated and it doesn't pass traffic. The hit count on my ACL also doesn't increase.

This problem occurs on a PIX v8 and with another customer on an ASA v8.

Is there any way to test and pass through traffic on non-standard ports?

TIA,

Albert

5 REPLIES

Re: HTTP doesn't pass through PIX/ASA version 8

Are you referring to inbound traffic for a particular web server on the inside? If this is correct, it is assumed you have specified the non-standard ports on your ACL and the other end specifies the non-standard port in their app query connecting to the server.

The way to test from outside is a simple telnet test.

e.g.

telnet x.x.x.x PORT#

Are any other similar inbound HTTP services with proper static NAT translations working? If the answer is no, make sure you have "no sysopt noproxyarp outside".

Green

Re: HTTP doesn't pass through PIX/ASA version 8

I can attest to the "sysopt noproxyarp outside". The ASA decided to add the command when upgrading from 7 to 8. Remove it as Jorge said and you should be OK.

Re: HTTP doesn't pass through PIX/ASA version 8

Thank you both for your reply.

I tried the "no sysopt noproxyarp outside" but it did not resolve the issue.

In the setup at the customer site there are also some DMZ services, which are fully functional. I am also able to telnet to the non-standard port from outside, but the monitor app doesn't connect. There are no hits on the ACL, and no connections in the "show conn".

Can it have something to do with the policy-maps?

Re: HTTP doesn't pass through PIX/ASA version 8

If you can hit the non-standard port from outside fine, I would suspect it is the monitor application; perhaps the monitor app requires a TCP port range to be opened. When the monitor app client from outside queries the monitor server, can you see if it hits the firewall outside interface at all? Did you do the telnet test from the monitor app? Policy-map application inspection is a possibility.
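The reply above distinguishes two things: the raw telnet test (does the TCP handshake complete?) and what the monitoring app actually does (an HTTP request on the non-standard port). The following is an added Python example, not code from the thread or from Cisco; the host, port and the local stand-in web server are constructed assumptions, and the classification labels are my own.

```python
"""Added diagnostic: tell 'telnet works' apart from 'the HTTP request
actually gets an answer' on a non-standard port. A flow that completes
the handshake but then gets reset or hangs points at something acting
on the application layer (e.g. policy-map inspection), not at the ACL."""
import socket
import threading
import http.server


def tcp_connect(host, port, timeout=3.0):
    """Equivalent of 'telnet host port': True if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(host, port, path="/", timeout=3.0):
    """Send a minimal HTTP GET over a raw socket and classify the result:
    'ok' (status line came back), 'reset' (flow torn down after the request),
    'timeout' (handshake fine, no answer), 'refused' (no TCP at all), 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            s.sendall(req.encode())
            data = s.recv(256)
    except ConnectionRefusedError:
        return "refused"
    except (ConnectionResetError, BrokenPipeError):
        return "reset"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    if not data:
        return "reset"          # peer closed without answering
    return "ok" if data.startswith(b"HTTP/") else "unexpected"


class _StandInHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the monitoring web service (any HTTP answer will do)."""
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # keep the probe quiet
        pass


def start_local_server(port=0):
    """Start the stand-in service on 127.0.0.1; port 0 lets the OS pick a free port."""
    srv = http.server.HTTPServer(("127.0.0.1", port), _StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv                      # srv.server_address[1] is the bound port
```

Run `tcp_connect` and `http_probe` from the same host the monitoring app uses: if the first succeeds and the second returns "reset" or "timeout", the conversation is being cut after the handshake, which is the point at which to look at the inspection policy rather than the ACL.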

Re: HTTP doesn't pass through PIX/ASA version 8

The monitor app configuration should be fine, because it worked when the customer worked with version 7. After the upgrade the functionality is gone :-(

The app at the central location polls every x minutes, but the hit count on the ACL doesn't increase. So I assume it has something to do with a process that runs before the ACL, but what can it be?
